Skip to content

Commit

Permalink
Move process storage to separate package
Browse files Browse the repository at this point in the history
The auth state package contained both process state
information and the backing storage used to persist
the state. This turns out to be an expensive package
for consumers that only care about state and not
storage since it brings sqlite into the dependency
tree. By splitting storage out to a separate package
consumers it makes it possible to build client tools
that don't require knowing about process storage to
be built without cgo enabled.
  • Loading branch information
rosstimothy authored and github-actions committed Jun 20, 2024
1 parent 48ae542 commit 470fc8d
Show file tree
Hide file tree
Showing 12 changed files with 234 additions and 207 deletions.
3 changes: 2 additions & 1 deletion integration/hsm/hsm_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ import (
"github.com/gravitational/teleport/lib/auth/authclient"
"github.com/gravitational/teleport/lib/auth/keystore"
"github.com/gravitational/teleport/lib/auth/state"
"github.com/gravitational/teleport/lib/auth/storage"
"github.com/gravitational/teleport/lib/backend"
"github.com/gravitational/teleport/lib/backend/etcdbk"
"github.com/gravitational/teleport/lib/backend/lite"
Expand Down Expand Up @@ -181,7 +182,7 @@ func TestHSMRotation(t *testing.T) {
}

func getAdminClient(authDataDir string, authAddr string) (*authclient.Client, error) {
identity, err := state.ReadLocalIdentity(
identity, err := storage.ReadLocalIdentity(
filepath.Join(authDataDir, teleport.ComponentProcess),
state.IdentityID{Role: types.RoleAdmin})
if err != nil {
Expand Down
6 changes: 3 additions & 3 deletions integration/instance_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ import (
"github.com/gravitational/teleport/api/breaker"
"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/lib"
"github.com/gravitational/teleport/lib/auth"
"github.com/gravitational/teleport/lib/auth/state"
"github.com/gravitational/teleport/lib/backend"
"github.com/gravitational/teleport/lib/cloud/imds"
"github.com/gravitational/teleport/lib/defaults"
Expand Down Expand Up @@ -141,7 +141,7 @@ func TestInstanceCertReissue(t *testing.T) {
authCfg.InstanceMetadataClient = imds.NewDisabledIMDSClient()

authRunErrCh := make(chan error, 1)
authIdentitiesCh := make(chan *auth.Identity, 2)
authIdentitiesCh := make(chan *state.Identity, 2)
go func() {
authRunErrCh <- service.Run(ctx, *authCfg, func(cfg *servicecfg.Config) (service.Process, error) {
proc, err := service.NewTeleport(cfg)
Expand Down Expand Up @@ -198,7 +198,7 @@ func TestInstanceCertReissue(t *testing.T) {
agentCfg.InstanceMetadataClient = imds.NewDisabledIMDSClient()

agentRunErrCh := make(chan error, 1)
agentIdentitiesCh := make(chan *auth.Identity, 2)
agentIdentitiesCh := make(chan *state.Identity, 2)
go func() {
agentRunErrCh <- service.Run(ctx, *agentCfg, func(cfg *servicecfg.Config) (service.Process, error) {
proc, err := service.NewTeleport(cfg)
Expand Down
14 changes: 0 additions & 14 deletions lib/auth/init.go
Original file line number Diff line number Diff line change
Expand Up @@ -1108,20 +1108,6 @@ func checkResourceConsistency(ctx context.Context, keyStore *keystore.Manager, c
return nil
}

// Identity alias left to prevent breaking builds
// TODO(tross): Delete after teleport.e is updated
type Identity = state.Identity

// IdentityID alias left to prevent breaking builds
// TODO(tross): Delete after teleport.e is updated
type IdentityID = state.IdentityID

// ReadLocalIdentity left to prevent breaking builds
// TODO(tross): Delete after teleport.e is updated
func ReadLocalIdentity(dataDir string, id state.IdentityID) (*Identity, error) {
return state.ReadLocalIdentity(dataDir, id)
}

// GenerateIdentity generates identity for the auth server
func GenerateIdentity(a *Server, id state.IdentityID, additionalPrincipals, dnsNames []string) (*state.Identity, error) {
priv, pub, err := native.GenerateKeyPair()
Expand Down
12 changes: 0 additions & 12 deletions lib/auth/state/identity.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@
package state

import (
"context"
"crypto/tls"
"crypto/x509"
"fmt"
Expand Down Expand Up @@ -338,14 +337,3 @@ func ReadSSHIdentityFromKeyPair(keyBytes, certBytes []byte) (*Identity, error) {
Cert: cert,
}, nil
}

// ReadLocalIdentity reads, parses and returns the given pub/pri key + cert from the
// key storage (dataDir).
func ReadLocalIdentity(dataDir string, id IdentityID) (*Identity, error) {
storage, err := NewProcessStorage(context.TODO(), dataDir)
if err != nil {
return nil, trace.Wrap(err)
}
defer storage.Close()
return storage.ReadIdentity(IdentityCurrent, id.Role)
}
173 changes: 3 additions & 170 deletions lib/auth/state/state.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,53 +19,12 @@
package state

import (
"context"
"encoding/json"
"strings"

"github.com/coreos/go-semver/semver"
"github.com/gravitational/trace"

"github.com/gravitational/teleport/api/client/proto"
"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/lib/backend"
"github.com/gravitational/teleport/lib/utils"
)

// backend implements abstraction over local or remote storage backend methods
// required for Identity/State storage.
// As in backend.Backend, Item keys are assumed to be valid UTF8, which may be enforced by the
// various Backend implementations.
type stateBackend interface {
// Create creates item if it does not exist
Create(ctx context.Context, i backend.Item) (*backend.Lease, error)
// Put puts value into backend (creates if it does not
// exists, updates it otherwise)
Put(ctx context.Context, i backend.Item) (*backend.Lease, error)
// Get returns a single item or not found error
Get(ctx context.Context, key []byte) (*backend.Item, error)
}

// ProcessStorage is a backend for local process state,
// it helps to manage rotation for certificate authorities
// and keeps local process credentials - x509 and SSH certs and keys.
type ProcessStorage struct {
// BackendStorage is the SQLite backend used for operations unrelated to storing/reading identities and states.
BackendStorage backend.Backend

// stateStorage is the backend to store agents' identities and states.
// it is not required to close stateBackend storage because it's either the same as BackendStorage or it is Kubernetes
// which does not require any close method
stateStorage stateBackend
}

// Close closes all resources used by process storage backend.
func (p *ProcessStorage) Close() error {
// we do not need to close stateBackend storage because it's either the same as backend or it's kubernetes
// which does not require any close method
return p.BackendStorage.Close()
}

const (
// IdentityCurrent is a name for the identity credentials that are
// currently used by the process.
Expand All @@ -75,134 +34,8 @@ const (
IdentityReplacement = "replacement"
// stateName is an internal resource object name
stateName = "state"
// statesPrefix is a key prefix for object states
statesPrefix = "states"
// idsPrefix is a key prefix for identities
idsPrefix = "ids"
)

// GetState reads rotation state from disk.
func (p *ProcessStorage) GetState(ctx context.Context, role types.SystemRole) (*StateV2, error) {
item, err := p.stateStorage.Get(ctx, backend.Key(statesPrefix, strings.ToLower(role.String()), stateName))
if err != nil {
return nil, trace.Wrap(err)
}
var res StateV2
if err := utils.FastUnmarshal(item.Value, &res); err != nil {
return nil, trace.BadParameter(err.Error())
}

// an empty InitialLocalVersion is treated as an error by CheckAndSetDefaults, but if the field
// is missing in the underlying storage, that indicates the state was written by an older version of
// teleport that didn't record InitialLocalVersion. In that case, we set a sentinel value to indicate
// that the version is unknown rather than being erroneously omitted.
if res.Spec.InitialLocalVersion == "" {
res.Spec.InitialLocalVersion = unknownLocalVersion
}

if err := res.CheckAndSetDefaults(); err != nil {
return nil, trace.Wrap(err)
}
return &res, nil
}

// CreateState creates process state if it does not exist yet.
func (p *ProcessStorage) CreateState(role types.SystemRole, state StateV2) error {
if err := state.CheckAndSetDefaults(); err != nil {
return trace.Wrap(err)
}
value, err := json.Marshal(state)
if err != nil {
return trace.Wrap(err)
}
item := backend.Item{
Key: backend.Key(statesPrefix, strings.ToLower(role.String()), stateName),
Value: value,
}
_, err = p.stateStorage.Create(context.TODO(), item)
if err != nil {
return trace.Wrap(err)
}
return nil
}

// WriteState writes local cluster state to the backend.
func (p *ProcessStorage) WriteState(role types.SystemRole, state StateV2) error {
if err := state.CheckAndSetDefaults(); err != nil {
return trace.Wrap(err)
}
value, err := json.Marshal(state)
if err != nil {
return trace.Wrap(err)
}
item := backend.Item{
Key: backend.Key(statesPrefix, strings.ToLower(role.String()), stateName),
Value: value,
}
_, err = p.stateStorage.Put(context.TODO(), item)
if err != nil {
return trace.Wrap(err)
}
return nil
}

// ReadIdentity reads identity using identity name and role.
func (p *ProcessStorage) ReadIdentity(name string, role types.SystemRole) (*Identity, error) {
if name == "" {
return nil, trace.BadParameter("missing parameter name")
}
item, err := p.stateStorage.Get(context.TODO(), backend.Key(idsPrefix, strings.ToLower(role.String()), name))
if err != nil {
return nil, trace.Wrap(err)
}
var res IdentityV2
if err := utils.FastUnmarshal(item.Value, &res); err != nil {
return nil, trace.BadParameter(err.Error())
}
if err := res.CheckAndSetDefaults(); err != nil {
return nil, trace.Wrap(err)
}
return ReadIdentityFromKeyPair(res.Spec.Key, &proto.Certs{
SSH: res.Spec.SSHCert,
TLS: res.Spec.TLSCert,
TLSCACerts: res.Spec.TLSCACerts,
SSHCACerts: res.Spec.SSHCACerts,
})
}

// WriteIdentity writes identity to the backend.
func (p *ProcessStorage) WriteIdentity(name string, id Identity) error {
res := IdentityV2{
ResourceHeader: types.ResourceHeader{
Kind: types.KindIdentity,
Version: types.V2,
Metadata: types.Metadata{
Name: name,
},
},
Spec: IdentitySpecV2{
Key: id.KeyBytes,
SSHCert: id.CertBytes,
TLSCert: id.TLSCertBytes,
TLSCACerts: id.TLSCACertsBytes,
SSHCACerts: id.SSHCACertBytes,
},
}
if err := res.CheckAndSetDefaults(); err != nil {
return trace.Wrap(err)
}
value, err := json.Marshal(res)
if err != nil {
return trace.Wrap(err)
}
item := backend.Item{
Key: backend.Key(idsPrefix, strings.ToLower(id.ID.Role.String()), name),
Value: value,
}
_, err = p.stateStorage.Put(context.TODO(), item)
return trace.Wrap(err)
}

// StateV2 is a local process state.
type StateV2 struct {
// ResourceHeader is a common resource header.
Expand All @@ -214,7 +47,7 @@ type StateV2 struct {
// GetInitialLocalVersion gets the initial local version string. If ok is false it indicates that
// this state value was written by a teleport agent that was too old to record the initial local version.
func (s *StateV2) GetInitialLocalVersion() (v string, ok bool) {
return s.Spec.InitialLocalVersion, s.Spec.InitialLocalVersion != unknownLocalVersion
return s.Spec.InitialLocalVersion, s.Spec.InitialLocalVersion != UnknownLocalVersion
}

// CheckAndSetDefaults checks and sets defaults values.
Expand Down Expand Up @@ -242,10 +75,10 @@ func (s *StateV2) CheckAndSetDefaults() error {
return nil
}

// unknownVersion is a sentinel value used to distinguish between InitialLocalVersion being missing from
// UnknownVersion is a sentinel value used to distinguish between InitialLocalVersion being missing from
// state due to malformed input and InitialLocalVersion being missing due to the state having been created before
// teleport started recording InitialLocalVersion.
const unknownLocalVersion = "unknown"
const UnknownLocalVersion = "unknown"

// StateSpecV2 is a state spec.
type StateSpecV2 struct {
Expand Down
Loading

0 comments on commit 470fc8d

Please sign in to comment.